A bug bounty program is a deal offered by many website and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by Facebook, Yahoo!, and Google, among others.

The most famous bug bounty website is HackerOne. This bounty program is primarily aimed at computer security experts who can highlight vulnerabilities that may impede the development of web tools and applications. HackerOne is used by Facebook, Dropbox, Vimeo, Sucuri, Twitter, WePay, CloudFlare, 99designs, Secret and Yahoo.

It comes with several conditions:

A critical flaw involving a large number of users,
A bug affecting several editors,
A bug affecting a publisher with a dominant position.

Bugcrowd was founded in 2012 by CEO Casey Ellis and CTO Chris Raethke to help level the vulnerability assessment playing field. By leveraging the economics, expertise, and sheer numbers of the crowd, the company is redefining the cybersecurity market.

Its revolutionary approach to cybersecurity combines a proprietary vulnerability reporting platform with the largest crowd of security researchers on the planet.

Bugsheet is simply a directory of companies that offer bug bounty programs. On the Bugsheet website you can find the bug bounty page for each of the many companies that run such a program, so it is a good place to start searching for one.

What is the best-paid vulnerability?

Companies pay between $50 and $15,000 for a vulnerability. There have been exceptions: when critical vulnerabilities were discovered, some companies offered six-figure rewards.

Adhere to our Responsible Disclosure Policy (above)
Be the first person to responsibly disclose the bug
Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure, such as:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF/XSRF)
Broken Authentication (including Facebook OAuth bugs)
Circumvention of our Platform/Privacy permission models
Remote Code Execution
Privilege Escalation
Provisioning Errors
Report a bug in Facebook or one of the following qualifying products or acquisitions:
Instagram
Parse
Onavo
Oculus
Moves
osquery
Make every effort to use a test account instead of a real account when investigating bugs. When you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing.
Not interact with other accounts without the consent of their owners.
Not reside in a country under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

The minimum reward that Facebook offers is $500. You can find more about Facebook bug bounty here.

Facebook’s Hall of Fame list can be found here: https://www.facebook.com/whitehat/thanks
